MariaDB Server: MDEV-11601

Out-of-bounds string access in create_schema_table()

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1 (EOL)
    • Fix Version/s: 10.1.21, 10.2.4
    • Component/s: Server
    • Labels: None
    • Environment: Debian GNU/Linux

    Description

      Apparently all tests that access the information_schema.processlist table would crash when the server is built with cmake -DWITH_ASAN, due to an out-of-bounds string access, reported like this:

      CURRENT_TEST: innodb.innodb_bug12400341
      mysqltest: At line 64: query 'select count(*) from information_schema.processlist' failed: 2013: Lost connection to MySQL server during query
      this one is something definitely outside InnoDB:
      ==32392==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000018b90ac at pc 0x00000176c633 bp 0x7f8ceda19960 sp 0x7f8ceda19958
      READ of size 1 at 0x0000018b90ac thread T55
         #0 0x176c632 in my_string_repertoire_8bit /home/marko/mariadb/server/strings/ctype.c:829:18
         #1 0x176c6bf in my_string_metadata_get /home/marko/mariadb/server/strings/ctype.c:895:27
         #2 0x6f6312 in Item_string::Item_string(THD*, char const*, unsigned int, charset_info_st const*, Derivation) /home/marko/mariadb/server/sql/item.h:2978:37
         #3 0x6f61ee in Item_partition_func_safe_string::Item_partition_func_safe_string(THD*, char const*, unsigned int, charset_info_st const*) /home/marko/mariadb/server/sql/item.h:3183:5
         #4 0x94d293 in Item_blob::Item_blob(THD*, char const*, unsigned int) /home/marko/mariadb/server/sql/item.h:3209:5
         #5 0x93761f in create_schema_table(THD*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7557:13
         #6 0x93955c in mysql_schema_table(THD*, LEX*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7806:16
      0x0000018b90ac is located 52 bytes to the left of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8837:4' (0x18b90e0) of size 12
       '<string literal>' is ascii string 'Info_binary'
      0x0000018b90ac is located 0 bytes to the right of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8836:4' (0x18b90a0) of size 12
       '<string literal>' is ascii string 'INFO_BINARY'
      

      The patch below works around the issue and allows the tests to pass (albeit with memory leaks ignored, because there is no ./mtr --sanitize option available):

      diff --git a/sql/sql_show.cc b/sql/sql_show.cc
      index ae3874506dd..c3610da05af 100644
      --- a/sql/sql_show.cc
      +++ b/sql/sql_show.cc
      @@ -7555,7 +7555,8 @@ TABLE *create_schema_table(THD *thd, TABLE_LIST *table_list)
           case MYSQL_TYPE_BLOB:
             if (!(item= new (mem_root)
                   Item_blob(thd, fields_info->field_name,
      -                      fields_info->field_length)))
      +                      std::min(unsigned (strlen(fields_info->field_name)),
      +                               fields_info->field_length))))
             {
               DBUG_RETURN(0);
             }
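Review bot: the std::min clamp silences the read but leaves the mismatch this hunk exposes in place: the third argument of Item_blob is consumed as the byte length of the column name (the trace goes Item_blob -> Item_string(THD*, char const*, unsigned int, ...) -> my_string_metadata_get), while fields_info->field_length is the column width, not the length of fields_info->field_name, so any BLOB entry whose name is shorter than its width scans past the literal. Consider fixing the Item_blob side instead, passing strlen(name) as the string length and using the length argument only for the item's max_length, so the name string and the column width stay separate. If the clamp stays as a stopgap, check that sql_show.cc includes <algorithm> for std::min and that both operands really are unsigned (strlen is cast here; field_length must be uint, otherwise the call fails to deduce a single template type).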
      

      Note that in MariaDB 10.2, cmake -DWITH_ASAN does not work at all at the moment (the feature availability check fails).
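The following C++ program is an added illustration of the defect described above and is not MariaDB source. It models a simplified, hypothetical FieldInfo record (standing in for ST_FIELD_INFO), a stand-in for my_string_repertoire_8bit() that trusts the length it is given, and the clamp from the patch. It also adds a check that lists the BLOB entries whose field_length exceeds the length of their name literal, which is the set of entries that would read out of bounds without the clamp. The sample table and its widths are constructed for the example.

```cpp
// Added illustration for MDEV-11601 (not MariaDB code): a column width was
// handed to Item_blob, which consumed it as the byte length of the column name.
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical simplified ST_FIELD_INFO: a NUL-terminated name plus a width.
struct FieldInfo {
  const char *field_name;   // literal such as "INFO_BINARY"
  unsigned    field_length; // display width, unrelated to strlen(field_name)
  bool        is_blob;      // stands in for MYSQL_TYPE_BLOB
};

// Repertoire classification in the spirit of strings/ctype.c.
enum Repertoire { REP_ASCII = 1, REP_EXTENDED = 2 };

// Stand-in for my_string_repertoire_8bit(): scans exactly `length` bytes and
// trusts the caller, so an oversized length reads past the literal.
Repertoire repertoire_8bit(const char *str, unsigned length) {
  for (unsigned i = 0; i < length; i++)
    if (static_cast<unsigned char>(str[i]) >= 0x80) return REP_EXTENDED;
  return REP_ASCII;
}

// The pattern from the patch: never scan more bytes than the literal holds.
unsigned clamp_name_length(const FieldInfo &fi) {
  return std::min(static_cast<unsigned>(std::strlen(fi.field_name)),
                  fi.field_length);
}

// Safe classification of a column name: bounded by the literal's real length.
Repertoire name_repertoire(const FieldInfo &fi) {
  return repertoire_8bit(fi.field_name, clamp_name_length(fi));
}

// Lists BLOB entries whose width exceeds the name length: exactly the entries
// that would trigger the out-of-bounds read in the unpatched code path.
std::vector<std::string> find_overlong_blob_entries(
    const std::vector<FieldInfo> &fields) {
  std::vector<std::string> bad;
  for (const FieldInfo &fi : fields)
    if (fi.is_blob && fi.field_length > std::strlen(fi.field_name))
      bad.push_back(fi.field_name);
  return bad;
}

// Constructed sample loosely resembling a processlist field table; the widths
// are made up, with INFO_BINARY given a width far larger than its name.
const std::vector<FieldInfo> kSample = {
  {"ID",          4,   false},
  {"INFO",        100, false},
  {"INFO_BINARY", 100, true},
};

int main() {
  for (const std::string &name : find_overlong_blob_entries(kSample))
    std::printf("would read past literal: %s\n", name.c_str());
  std::printf("INFO_BINARY scanned with length %u, repertoire %d\n",
              clamp_name_length(kSample[2]), name_repertoire(kSample[2]));
  return 0;
}
```

Building this with -fsanitize=address and replacing clamp_name_length() with fi.field_length in name_repertoire() reproduces the same global-buffer-overflow report shape as in the description; with the clamp in place the scan stops at the end of the literal.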

      Attachments

        Issue Links

          Activity

            marko Marko Mäkelä added a comment - For what it is worth, MariaDB Server 10.0.29 does not seem to be affected by this issue. (Tests that access information_schema.processlist do not trigger any sanitizer messages.)

            People

              Assignee: serg Sergei Golubchik
              Reporter: marko Marko Mäkelä
              Votes: 0
              Watchers: 2

              Dates

                Created:
                Updated:
                Resolved:
